Discussion:
ldap group search
Charles Ahart
2006-02-06 19:25:25 UTC
Can anyone tell me if there is a way to search the LDAP directory for all the
groups for a given member, including the groups that a user belongs to by
way of other nested groups? For example, if I have a user John Smith who
is a member of group1, and group1 is a member of group2, and group2 is
a member of group3, I need to know that John Smith is ultimately a
member of group1 (directly) and group2 and group3 (indirectly). If
there is no way to do this with an ldapsearch, are there any third-party
tools or applications that will do this?
j***@us.ibm.com
2006-02-07 15:07:40 UTC
Assuming you are using IBM Tivoli Directory Server, see the Admin Guide
topic on "Determining group membership" here:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/admin_gd24.htm#wq1331

Look for the example on using ldapsearch to retrieve the ibm-allgroups
operational attribute. It lists all groups an entry is a member of. This
should work for v4.1 and later.

John
Charles Ahart
2006-02-07 18:12:12 UTC
Thanks for the response, John. The only problem is that it doesn't report
the groups that the user is a member of by way of nested groups. So if
John Smith is a member of Group1 and Group1 is a member of Group2, when I
do the search using ibm-allgroups I only get Group1 as a result.
j***@us.ibm.com
2006-02-07 21:36:35 UTC
ibm-allgroups should report all groups the user is a member of - static,
dynamic or nested - and on my server (an i5/OS port of v5.2) it works as
advertised. I have seen cases where people are doing the search under an
identity that doesn't have authority to see all the results (e.g.
anonymous search). ibm-allgroups (or ibm-allmembers) only returns the DNs
of entries that you have authority to see, and in the case of dynamic
groups, is also affected by your authority to evaluate the memberurl
filter (and the attributes of the entries matching the filter).

Here's a sample from my server.

The groups:

cn=groupofnames,o=sandbox
objectclass=groupOfNames
objectclass=top
member=uid=jmcmeek,o=sandbox
cn=grouofnames
cn=groupofnames

cn=groupofurls,o=sandbox
objectclass=groupOfURLs
objectclass=top
cn=groupofurls
memberurl=ldap:///o=sandbox??sub?(uid=j*)

cn=childgroup,o=sandbox
objectclass=groupOfNames
objectclass=top
member=uid=jmcmeek,o=sandbox
cn=childgroup

cn=parentgroup,o=sandbox
objectclass=container
objectclass=top
objectclass=ibm-nestedGroup
ibm-membergroup=cn=childgroup,o=sandbox
cn=parentgroup

Now do a search to see the groups that uid=jmcmeek,o=sandbox is a member of:

ldapsearch -D cn=administrator -w password -b uid=jmcmeek,o=sandbox "(objectclass=*)" ibm-allgroups
uid=jmcmeek,o=sandbox
ibm-allgroups=CN=GROUPOFNAMES,O=SANDBOX
ibm-allgroups=CN=CHILDGROUP,O=SANDBOX
ibm-allgroups=CN=PARENTGROUP,O=SANDBOX <== has cn=childgroup as a member group
ibm-allgroups=CN=GROUPOFURLS,O=SANDBOX
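The following is an added example, not code from the thread or from IBM Tivoli Directory Server. It re-implements client-side what the server does for ibm-allgroups: static groupOfNames membership, dynamic groupOfURLs membership (by evaluating the memberURL), and the ibm-nestedGroup / ibm-membergroup chain walked to a fixed point. The input is a constructed mini-LDIF of the four entries from the post plus one hypothetical cn=grandparent entry (added to show a deeper chain and a self-referencing loop). The `can_read` predicate is an assumption that stands in for the bound identity's ACL authority, so the same code can show why an anonymous or under-privileged search loses nested groups: if cn=childgroup cannot be read, cn=parentgroup is never reached either.

```python
"""Client-side equivalent of ibm-allgroups (added example, constructed data)."""
import re

# Constructed from the entries in the post; cn=grandparent is hypothetical.
SAMPLE_LDIF = """\
dn: uid=jmcmeek,o=sandbox
objectclass: inetOrgPerson
uid: jmcmeek

dn: cn=groupofnames,o=sandbox
objectclass: groupOfNames
member: uid=jmcmeek,o=sandbox

dn: cn=groupofurls,o=sandbox
objectclass: groupOfURLs
memberurl: ldap:///o=sandbox??sub?(uid=j*)

dn: cn=childgroup,o=sandbox
objectclass: groupOfNames
member: uid=jmcmeek,o=sandbox

dn: cn=parentgroup,o=sandbox
objectclass: container
objectclass: ibm-nestedGroup
ibm-membergroup: cn=childgroup,o=sandbox

dn: cn=grandparent,o=sandbox
objectclass: container
objectclass: ibm-nestedGroup
ibm-membergroup: cn=parentgroup,o=sandbox
ibm-membergroup: cn=grandparent,o=sandbox
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr: [values]}}; names and DNs lowercased."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries


def _matches_filter(entry, flt):
    """Only the filter shape the sample needs: (attr=value) with optional trailing '*'."""
    m = re.fullmatch(r"\((\w[\w-]*)=([^)]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for v in entry.get(attr, [])]
    if pattern.endswith("*"):
        return any(v.startswith(pattern[:-1]) for v in values)
    return pattern in values


def _in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope in ("one", "onelevel"):
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)          # sub


def direct_groups(directory, user_dn, can_read):
    """Static and dynamic groups containing user_dn, limited to readable group entries."""
    user_dn = user_dn.lower()
    user = directory.get(user_dn, {})
    found = set()
    for gdn, attrs in directory.items():
        if not can_read(gdn):
            continue  # same effect as the server hiding entries from this identity
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if classes & {"groupofnames", "groupofuniquenames"}:
            members = attrs.get("member", []) + attrs.get("uniquemember", [])
            if user_dn in (m.lower() for m in members):
                found.add(gdn)
        if "groupofurls" in classes:
            for url in attrs.get("memberurl", []):
                # ldap:///<base>?<attrs>?<scope>?<filter>
                base, _, scope, flt = url[len("ldap:///"):].split("?", 3)
                if _in_scope(user_dn, base.lower(), scope.lower() or "base") \
                        and _matches_filter(user, flt):
                    found.add(gdn)
    return found


def all_groups(directory, user_dn, can_read=lambda dn: True):
    """Closure of direct groups under ibm-membergroup nesting; the result set doubles
    as the visited set, so a group that nests itself or an ancestor cannot loop."""
    result = set(direct_groups(directory, user_dn, can_read))
    queue = list(result)
    while queue:
        g = queue.pop()
        for pdn, attrs in directory.items():
            if pdn in result or not can_read(pdn):
                continue
            if g in {x.lower() for x in attrs.get("ibm-membergroup", [])}:
                result.add(pdn)
                queue.append(pdn)
    return sorted(result)


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    print("administrator:", all_groups(d, "uid=jmcmeek,o=sandbox"))
    print("no read on childgroup:",
          all_groups(d, "uid=jmcmeek,o=sandbox", can_read=lambda dn: "childgroup" not in dn))
```

Run against a real dump (an ldapsearch of the group subtree saved as LDIF) this gives the same list the server would, minus any entries the dumping identity could not read; the second call reproduces the symptom described in the reply, where hiding one link of the chain silently drops every group above it.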
Charles Ahart
2006-02-10 18:50:27 UTC
Thanks very much for this explanation. I didn't realize we had to use
the ibm-nestedGroup auxiliary class when creating the group. I tried
this out on our TDS 6.0 server and it works just as you say. This will
help.